The effect of the IT/OT gap on the NIS 2 implementation

Andersson, Niklas

January 2023

Cyber attacks are steadily increasing, and their impact is becoming more significant. To combat this, the European Union has created directives to enhance the cyber security in critical services in the Union, one example being the NIS 2 directive. The directive comes into force during the fourth industrial revolution, where the Operational Technology (OT) is connected to the Information Technology (IT). This creates new vulnerabilities in the OT environments since they can now suffer from cyber attacks. The historical ways of securing OT and IT environments differ, which has caused what is called the IT/OT gap now that they are converging. In order to implement the NIS 2 directive and to enhance the cyber security of the entire organization, the IT/OT gap needs to be minimized. The problem this study then aims to investigate is how the effects of the IT/OT gap can be reduced in the implementation of the NIS 2 directive. This was done by answering the research question: To what extent is the IT/OT gap a challenge for the implementation of the NIS 2 directive in Sweden? The sub-question: In what areas is the IT/OT gap problematic for the implementation of the NIS 2 directive in Sweden? To gain an answer to the research question semi-structured interviews were conducted with respondents with knowledge in IT and OT security as well as the NIS 2 directive. The interviews were transcribed and analyzed using a thematic analysis. The thematic analysis resulted in 6 themes, Need for technical solutions, Lacking resources, Differences in security culture, Lack of cooperation, Supervisory authority and Standards, and six subthemes. The result showed that the IT/OT gap is a challenge for the implementation of the NIS 2 directive in a varying degree depending on the company. Further, it was shown that the IT/OT gap is most likely a problem in the areas regarding the supervisory authority, lacking resources, and cooperation. To comply with the directive and, more importantly, raise the level of cyber security, organizations and companies must handle all their risk in both IT and OT environments. The OT and IT personnel will need to talk to each other and collaborate to do it, and that might be a significant first step to minimizing the IT/OT gap in the long term.

NIS2 Directive

IT/OT gap

OT security

IT security

Computer Sciences

Datavetenskap (datalogi)

SVENSKA VERKSAMHETERS UTMANINGAR MOT ETT CERTIFIKAT INOM INFORMATIONSSÄKERHET : En fallstudie om svenska verksamheters utmaningar för att certifiera sig enligt ISO 27001-standarden / SWEDISH ORGANIZATIONS CHALLENGES TOWARDS A CERTIFICATE WITHIN INFORMATION SECURITY : A case studie about Swedish organizations challenges to gain a certificate according to the ISO 27001 standard.

Moffat, Hanna

January 2023

I detta examensarbete är syftet att undersöka svenska verksamheters utmaningar i att uppnå en ISO 27001-certifiering med sitt arbete inom informationssäkerhet. Digitala medier och verktyg är numera en stor del av samhällsviktiga verksamheters tjänster samt operationer och det har bidragit till stora möjligheter såväl som stora sårbarheter. ISO 27001-certifieringar är den standard som ligger till grund för säkerhetsskyddslagen såväl som NIS-direktivet vilket gör att det är en standard som svenska verksamheter kan applicera. Genom bakgrunden ges en inblick i vad informationssäkerhet är och hur det står i relation med cybersäkerhet. Bakgrunden innehåller även en introduktion till den svenska lagstiftningen inom informationssäkerhet såväl som ISO 27001-standarden för att belysa vad svenska verksamheter har att förhålla sig till när det kommer till sitt arbete med informationssäkerhet. I problemformuleringen lyfts de aktuella hoten och myndigheters uttalanden inom informationssäkerhet i Sverige och hur svenska verksamheter brister i dessa. Detta i kombination med den tidigare forskningen om hur utmaningar inom ISO 27001-certifieringar har tagit sitt uttryck för andra verksamheter. Metoden redovisar hur kvalitativa intervjuer använts som verktyg för datainsamling till fallstudien men även hur det tagit sitt uttryck och beskriver processen – från förberedelse till läsbar produkt, vilket är detta examensarbete. I analysen ställs den insamlade datan i relation till tidigare forskning samt aktuella händelser för att se vilka utmaningar svenska verksamheter har för att uppnå en ISO 27001-certifiering. Resultatet baseras på den insamlade datan då det är svenska verksamheters utmaningar som är aktuellt för fallstudien. Det resulterade i fyra utmaningar: motivation, tid och ekonomi, bransch samt komplexitet. Dessa utmaningar och dess bidragande faktorer redovisas i text såväl som figurer. Somliga av dessa utmaningar är utmaningar som lyfts i tidigare forskning, vilket gör att de även kan appliceras som utmaningar för svenska verksamheter. Uppsatsen avslutas med en diskussion där fallstudiens resultat diskuteras i olika perspektiv – samhälleliga, etiska samt vetenskapliga. Diskussion om val av metod, studiens resultat samt förslag på framtida forskning lyfts, där det diskuteras om hur lagar samt standarder inom informationssäkerhet är svåra att implementera samt förstå och om det ens är möjligt att göra det lättare.

Information Systems

Nu får det vara slutlekt : Cybersäkerhetskraven för privata aktörer i ljuset av NIS2-direktivet / The Fun is Over : Cybersecurity Requirements for the Private Sector in light of the NIS2 Directive

Dison, Ellinor

January 2023

Cybersecurity threats have grown to become a global threat to private actors and states. While work processes are becoming more efficient, rapid technological developments are exposing network and information systems to vulnerabilities. The private sector plays a significant role in keeping the EU and Sweden safe in cyberspace since technological development is essentially controlled by private actors. When it comes to socially important activities, private actors both own and operate large parts of the market, which in turn means that attacks on private actors affecting trade secrets can pose a threat to market competition and economic prosperity. This thesis maps out how the EU has chosen to combat this with the NIS and NIS2 Directives. Specifically, this thesis maps out changes in cybersecurity requirements for private actors providing digital solutions in the light of NIS2. The previous NIS has shown to be inherently flawed with regards to the EU goal of achieving a high common level of security for network and information systems. The need for renewed legislation is therefore great and, as the investigation shows, NIS2 entails a change in the content, structure, and scope of important and essential entities. In short, the NIS2 Directive requires entities to perform their due diligence and document appropriate and proportionate measures based on an all-risk analysis. The increased and broadened requirements in NIS2, which are certainly justified by the increased cybersecurity threats, must also be weighed against an overly burdensome bureaucracy for authorities and private actors. In addition, this thesis analyzes the format of NIS2 and its potential impact on the internal market of the EU. Given the fact that it is a market regulation, a proportionality assessment is required in relation to the competitive disadvantages that an overly burdensome legislation may result in for private actors. At the same time, sanctions and enforcement measures must be sufficiently dissuasive. In conclusion, this thesis argues NIS2 to bring important changes, albeit still posing risks of further fragmenting the cybersecurity levels in the union due to the flexibility given to member states. However, NIS2 is a key step in the right direction towards achieving a high common level of cybersecurity across member states.

NIS2

digital infrastructure

digital providers

NIS

information security

cybersecurity

digitalization

essential entity

important entities

EU Regulation

EU Law

NIS2

digital infrastruktur

digitala leverantörer

NIS

EU-CyCLONe

informationssäkerhet

cybersäkerhet

digitalisering

väsentlig entitet

viktiga entiteter

EU-förordning

EU-rätt

Law and Society

Juridik och samhälle

Correlated low temperature states of YFe2Ge2 and pressure metallised NiS2

Semeniuk, Konstantin

January 2018

While the free electron model can often be surprisingly successful in describing properties of solids, there are plenty of materials in which interactions between electrons are too significant to be neglected. These strongly correlated systems sometimes exhibit rather unexpected, unusual and useful phenomena, understanding of which is one of the aims of condensed matter physics. Heat capacity measurements of paramagnetic YFe$_{2}$Ge$_{2}$ give a Sommerfeld coefficient of about 100 mJ mol$^{−1}$ K$^{−2}$, which is about an order of magnitude higher than the value predicted by band structure calculations. This suggests the existence of strong electronic correlations in the compound, potentially due to proximity to an antiferromagnetic quantum critical point (QCP). Existence of the latter is also indicated by the non-Fermi liquid T$^{3/2}$ behaviour of the low temperature resistivity. Below 1.8 K a superconducting phase develops in the material, making it a rare case of a non-pnictide and non-chalcogenide iron based superconductor with the 1-2-2 structure. This thesis describes growth and study of a new generation of high quality YFe$_{2}$Ge$_{2}$ samples with residual resistance ratios reaching 200. Measurements of resistivity, heat capacity and magnetic susceptibility confirm the intrinsic and bulk character of the superconductivity, which is also argued to be of an unconventional nature. In order to test the hypothesis of the nearby QCP, resistance measurements under high pressure of up to 35 kbar have been conducted. Pressure dependence of the critical temperature of the superconductivity has been found to be rather weak. μSR measurements have been performed, but provided limited information due to sample inhomogeneity resulting in a broad distribution of the critical temperature. While the superconductivity is the result of an effective attraction between electrons, under different circumstances the electronic properties of a system can instead be dictated by the Coulomb repulsion. This is the case for another transition metal based compound NiS$_{2}$, which is a Mott insulator. Applying hydrostatic pressure of about 30 kbar brings the material across the Mott metal-insulator transition (MIT) into the metallic phase. We have used the tunnel diode oscillator (TDO) technique to measure quantum oscillations in the metallised state of NiS$_{2}$, making it possible to track the evolution of the principal Fermi surface and the associated effective mass as a function of pressure. New results are presented which access a wider pressure range than previous studies and provide strong evidence that the effective carrier mass diverges close to the Mott MIT, as expected within the Brinkman-Rice scenario and predicted in dynamical mean field theory calculations. Quantum oscillations have been measured at pressures as close to the insulating phase as 33 kbar and as high as 97 kbar. In addition to providing a valuable insight into the mechanism of the Mott MIT, this study has also demonstrated the potential of the TDO technique for studying materials at high pressures.